Customizing Bearer Authentication Middleware Responses

[marceloverdijk]

In general I want my API to return json responses also in case of errors, invalid requests or if a resource does not exist.

I'm using the Bearer Authentication Middleware and it works nicely, except that it returns a text response in case of invalid token or if the authorization header was not provided at all.

I would like to send a response like below if e.g. the token was not provided, instead of the general "Bad Request" response from the middleware.

{
  "error": {
    "message": "You did not provide an API token. You need to provide your API token in the Authorization header, using Bearer auth (e.g. 'Authorization: Bearer YOUR_API_TOKEN').",
    "type": "invalid_request_error"
  }
}

Would this be possible already?

Or would it be better to create my own middleware to achieve this?

@yusukebe would you be open to be able to customize the response in the current middleware? In that case I have some ideas and I could provide a PR.

[marceloverdijk]

The hono-rate-limiter has a quite nice approach for doing something similar.
They provide an option in the middleware to provide a custom message which can ben a string, object or function and based on that either c.text() or c.json() is used to return the response.

https://github.com/rhinobase/hono-rate-limiter/blob/main/packages/core/src/core.ts#L40C1-L50C7

    message = "Too many requests, please try again later.", 
    ..
    handler = async (c, _, options) => {
      c.status(options.statusCode);

      const responseMessage =
        typeof options.message === "function"
          ? await options.message(c)
          : options.message;

      if (typeof responseMessage === "string") return c.text(responseMessage);
      return c.json(responseMessage);
    },

The Hono Bearer Authentication Middleware is a bit different as it return a HTTPException.

      if (!match) {
        // Invalid Request
        const res = new Response('Bad Request', {
          status: 400,
          headers: {
            'WWW-Authenticate': `${wwwAuthenticatePrefix}error="invalid_request"`,
          },
        })
        throw new HTTPException(400, { res })
      }

[marceloverdijk]

@yusukebe I was thinking something like below.

So instead of currently in Bearer Authentication Middleware:

  return async function bearerAuth(c, next) {
    const headerToken = c.req.header(options.headerName || HEADER)
    if (!headerToken) {
      // No Authorization header
      const res = new Response('Unauthorized', {
        status: 401,
        headers: {
          'WWW-Authenticate': `${wwwAuthenticatePrefix}realm="` + realm + '"',
        },
      })
      throw new HTTPException(401, { res })
    } ..

it could be something like:

  return async function bearerAuth(c, next) {
    const headerToken = c.req.header(options.headerName || HEADER)
    if (!headerToken) {
      // No Authorization header
      // use new options.unauthorizedMessage to override message, default just 'Unauthorized' 
      const responseMessage = typeof options.unauthorizedMessage === 'function'
        ? await options.unauthorizedMessage(c)
        : options.unauthorizedMessage;
      const status = 401
      const headers = {
        'WWW-Authenticate': `${wwwAuthenticatePrefix}realm="${realm}"`,
      }
      const res = (typeof responseMessage === 'string')
        ? new Response(responseMessage, { status, headers })	  
        : new Response(JSON.stringify(responseMessage), {
          status, 
          headers: { 
            ...headers,
            'content-type': 'application/json; charset=UTF-8' 
          }
        })	  
      throw new HTTPException(status, { res })
    } ..

[marceloverdijk]

Sure, I will create a PR this evening when at home.

[yusukebe]

Thanks!

[marceloverdijk]

Btw we could either provide 2 options for the responses messages or perhaps 3.

• unauthorizedMessage
• badRequestmessage

Or more fine grained:

• noAuthenticationHeaderMessage
• invalidAuthenticationHeaderMeasage
• invalidTokenMessage

Do you have a preference or maybe other ideas?

[yusukebe]

I prefer:

noAuthenticationHeaderMessage
invalidAuthenticationHeaderMeasage
invalidTokenMessage

[marceloverdijk]

@yusukebe here we go: PR #3362

Let me know if you prefer things differently, then I will update the PR accordingly.
Note: it updates both the Basic and Bearer Authentication Middlewares to have consistent behavior.